AWS OpenSearch Fine-grained access control is disabled

Description

This policy detects AWS ElasticSearch/OpenSearch domains that do not have fine-grained access control enabled. Fine-grained access control allows you to manage access to specific domain actions based on user roles and permissions.

Code Example

resource "aws_elasticsearch_domain" "example" {
  // other arguments
  advanced_security_options {
+   enabled                        = true
+   internal_user_database_enabled = true
  }
}

Remediation

Terraform

Resource: aws_opensearch_domain, aws_elasticsearch_domain
Arguments: advanced_security_options.internal_user_database_enabled, advanced_security_options.enabled

To fix the issue, set the `fine_grained_access_control_enabled` argument to `true` in the `aws_elasticsearch_domain` resource.

Secure code example:

Rule Details

Field	Value
ID	IAC-0486
Severity	LOW
IaC Type	Terraform
Frameworks	Terraform, TerraformPlan
Checkov ID	CKV2_AWS_52

References

Checkov Rule

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

AWS OpenSearch Fine-grained access control is disabled

Description

Code Example

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

AWS OpenSearch Fine-grained access control is disabled ​

Description ​

Code Example ​

Remediation ​

Rule Details ​

References ​

AWS OpenSearch Fine-grained access control is disabled

Description

Code Example

Remediation

Rule Details

References